From cb5efbe9f2d566ea321c76b043aa5e669689361d Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Wed, 27 Nov 2024 17:26:36 +0000 Subject: [PATCH] Sanitised backup: replace artifacts with Azure storage We have more controls in place around Azure storage --- .github/workflows/database.yaml | 94 ++++++++++++++++++++++++++------- 1 file changed, 74 insertions(+), 20 deletions(-) diff --git a/.github/workflows/database.yaml b/.github/workflows/database.yaml index 400116ccc..d4b262f7d 100644 --- a/.github/workflows/database.yaml +++ b/.github/workflows/database.yaml @@ -78,6 +78,7 @@ jobs: fi echo "BACKUP_FILE=${BACKUP_FILE}" >> $GITHUB_ENV echo "KEYVAULT_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-inf-kv" >> $GITHUB_ENV + echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F")" >> $GITHUB_ENV - name: Fetch secrets from key vault uses: azure/CLI@v2 @@ -109,50 +110,103 @@ jobs: - name: Sanitise dump if: github.event_name == 'schedule' run: | - gzip -d --to-stdout backup.sql.gz | psql -d postgres + gzip -d --to-stdout ${{ env.BACKUP_FILE }}.sql.gz | psql -d postgres psql -d postgres -f db/scripts/sanitise.sql - pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose --no-password -f backup-sanitised.sql.gz + pg_dump -E utf8 --compress=1 --clean --if-exists --no-owner --verbose --no-password -f ${SANITISED_FILE_NAME}.sql.gz env: PGUSER: postgres PGPASSWORD: postgres PGHOST: localhost PGPORT: 5432 - - name: Upload sanitised backup + - name: Upload sanitised backup to Azure Storage if: github.event_name == 'schedule' - uses: actions/upload-artifact@v4 - with: - name: backup-sanitised - path: backup-sanitised.sql.gz - retention-days: 3 + run: | + STORAGE_CONN_STR=$(az storage account show-connection-string -g ${{ env.RESOURCE_GROUP_NAME }} -n ${{ env.STORAGE_ACCOUNT_NAME }} --query 'connectionString') + echo "::add-mask::$STORAGE_CONN_STR" + + az storage blob upload --container-name database-backup \ + --file ${SANITISED_FILE_NAME}.sql.gz --name ${SANITISED_FILE_NAME}.sql.gz --overwrite \ + --connection-string "${STORAGE_CONN_STR}" + rm ${SANITISED_FILE_NAME}.sql.gz restore-preproduction: name: Restore preproduction needs: [backup] if: ${{ github.event_name == 'schedule' }} runs-on: ubuntu-latest - environment: preproduction + environment: production + env: + GLOBAL_CONFIG: preprod steps: - name: Checkout code uses: actions/checkout@v4 - - name: Download sanitised backup - uses: actions/download-artifact@v4 + - name: Set environment variables + run: | + source global_config/${GLOBAL_CONFIG}.sh + tf_vars_file=${TF_VARS_PATH}/${CONFIG}/variables.tfvars.json + APP_ENVIRONMENT=$(jq -r '.app_environment' ${tf_vars_file}) + echo "APP_NAME=${SERVICE_NAME}-${APP_ENVIRONMENT}-web" >> $GITHUB_ENV + echo "SANITISED_FILE_NAME=afqts_sanitised_$(date +"%F").sql.gz" >> $GITHUB_ENV + echo "CLUSTER_RG=s189t01-tsc-ts-rg" >> $GITHUB_ENV + echo "CLUSTER_NAME=s189t01-tsc-test-aks" >> $GITHUB_ENV + echo "RESOURCE_GROUP_NAME=s189p01-afqts-pd-rg" >> $GITHUB_ENV + echo "STORAGE_ACCOUNT_NAME=s189p01afqtsdbbkppdsa" >> $GITHUB_ENV + + # Download backup from production storage account + - uses: azure/login@v2 with: - name: backup-sanitised + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Set Connection String + run: | + STORAGE_CONN_STR=$(az storage account show-connection-string -g ${RESOURCE_GROUP_NAME} -n ${STORAGE_ACCOUNT_NAME} --query 'connectionString') + echo "::add-mask::$STORAGE_CONN_STR" + echo "AZURE_STORAGE_CONNECTION_STRING=$STORAGE_CONN_STR" >> $GITHUB_ENV + + - name: Download Backup from Azure Storage + run: | + az config set extension.use_dynamic_install=yes_without_prompt + az config set core.only_show_errors=true + az storage azcopy blob download --container database-backup \ + --source ${{ env.SANITISED_FILE_NAME }} --destination ${{ env.SANITISED_FILE_NAME }} - - uses: ./.github/actions/set-kubernetes-credentials + # Restore backup to preproduction database + - uses: azure/login@v2 with: - environment: preproduction - azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_PREPRODUCTION }} + + - name: Setup postgres client + uses: DFE-Digital/github-actions/install-postgres-client@master + with: + version: 14 - name: Install kubectl uses: DFE-Digital/github-actions/set-kubectl@master - - name: Install konduit - run: make install-konduit + - uses: DFE-Digital/github-actions/set-kubelogin-environment@master + with: + azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PREPRODUCTION }} + + - name: K8 setup + run: | + az aks get-credentials --overwrite-existing -g ${CLUSTER_RG} -n ${CLUSTER_NAME} + kubelogin convert-kubeconfig -l spn + # install konduit + curl -s https://raw.githubusercontent.com/DFE-Digital/teacher-services-cloud/master/scripts/konduit.sh -o ./konduit.sh + chmod +x ./konduit.sh - - name: Restore sanitised backup - shell: bash - run: bin/konduit.sh -i backup-sanitised.sql.gz -c apply-for-qts-preproduction-web -- psql + - name: Restore backup to aks env database + run: | + ./konduit.sh -i ${SANITISED_FILE_NAME} -c -t 7200 -x ${APP_NAME} -- psql + + - name: Restore Summary + if: success() + run: | + NOW=$(TZ=Europe/London date +"%F %R") + echo "RESTORE SUCCESSFUL!" >> $GITHUB_STEP_SUMMARY + echo "APP: ${APP_NAME}" >> $GITHUB_STEP_SUMMARY + echo "BACKUP FILE RESTORED: ${STORAGE_ACCOUNT_NAME} / database-backup / ${SANITISED_FILE_NAME}" >> $GITHUB_STEP_SUMMARY + echo "AT: ${NOW}" >> $GITHUB_STEP_SUMMARY